Firewall Sub-Interface Across Spine to Leaf for VLAN isolation and Firewall security

  • Question
  • Updated 2 years ago
Currently we have SVIs configured on our MLAG. We'd like to create sub-interfaces on our firewall and present those via trunks to our VLANs. But we are running BGP between Firewall - Spines and Leafs.

Victor Mendez


Posted 2 years ago


Cnidus, Alum

Hey Victor, been a while.

Sounds like you're trying to create 2 routing/security domains and hairpin traffic between them to the firewalls. 

If that's a correct interpretation, it's a pretty classic use-case of VRFs. https://docs.cumulusnetworks.com/display/DOCS/Virtual+Routing+and+Forwarding+-+VRF

Obviously, I wouldn't recommend just adding VRFs w/o properly considering the design implications though.

I believe we've got a call set up tomorrow to discuss. Looking forward to that.

-Doug
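
The two-domain VRF layout described in the reply above, sketched as an added example that is not part of the original thread or the vendor's documentation. It assumes a Cumulus Linux switch with a VLAN-aware bridge named `bridge` and the firewall attached directly on `swp1`; the VRF names, VLAN IDs, addresses and AS numbers are all constructed for illustration, and the firewall is assumed to advertise only a default route into each VRF.

```text
# /etc/network/interfaces (ifupdown2). Constructed example: every name,
# VLAN ID and address below is an assumption, not taken from the thread.
auto vrf-a
iface vrf-a
    vrf-table auto

auto vrf-b
iface vrf-b
    vrf-table auto

# Each SVI leaves the default table and joins its own VRF
auto vlan10
iface vlan10
    address 10.1.10.2/24
    vlan-id 10
    vlan-raw-device bridge
    vrf vrf-a

auto vlan20
iface vlan20
    address 10.1.20.2/24
    vlan-id 20
    vlan-raw-device bridge
    vrf vrf-b

# One 802.1Q sub-interface per VRF on the firewall-facing port (swp1 assumed)
auto swp1.110
iface swp1.110
    address 10.255.110.2/30
    vrf vrf-a

auto swp1.120
iface swp1.120
    address 10.255.120.2/30
    vrf vrf-b

# /etc/frr/frr.conf: one BGP instance per VRF, each peering with the firewall
router bgp 65101 vrf vrf-a
 neighbor 10.255.110.1 remote-as 65000
 address-family ipv4 unicast
  redistribute connected
!
router bgp 65101 vrf vrf-b
 neighbor 10.255.120.1 remote-as 65000
 address-family ipv4 unicast
  redistribute connected
```

With this layout neither VRF holds a route to the other's subnet except the default learned from the firewall, so VLAN 10 to VLAN 20 traffic hairpins through firewall policy. If the firewall instead re-advertised one VRF's prefixes into the other, the switch would drop them as an AS-path loop because both instances share AS 65101, which is one of the design implications to settle before deploying.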